Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

workflows: fix usage of untrusted input in check links #3029

Merged
merged 1 commit into from
Oct 22, 2024
Merged

workflows: fix usage of untrusted input in check links #3029

merged 1 commit into from
Oct 22, 2024

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Oct 22, 2024

A user could create a branch with a particular name that would trigger a command injection because we use this input directly in the shell scripts generation. See more details in
https://securitylab.github.com/resources/github-actions-untrusted-input/.

This also updates the lychee action that no longer need an explicit GITHUB_TOKEN env variable lycheeverse/lychee-action#195 and reduce the permissions needed by the token in both check links workflows.

Reported-by: Piergiorgio Ladisa piergiorgio.ladisa@hotmail.it

@mtardy mtardy added the release-note/ci This PR makes changes to the CI. label Oct 22, 2024
@mtardy mtardy requested a review from ferozsalam October 22, 2024 09:27
@mtardy mtardy requested review from willfindlay and a team as code owners October 22, 2024 09:27
@mtardy
workflows: fix usage of untrusted input in check links
f19bbe1 
A user could create a branch with a particular name that would trigger a
command injection because we use this input directly in the shell
scripts generation. See more details in
https://securitylab.github.com/resources/github-actions-untrusted-input/.

This also updates the lychee action that no longer need an explicit
GITHUB_TOKEN env variable lycheeverse/lychee-action#195 and reduce the
permissions needed by the token in both check links workflows.

Reported-by: Piergiorgio Ladisa <piergiorgio.ladisa@hotmail.it>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
@mtardy mtardy force-pushed the pr/mtardy/cmd-injection branch from 630be43 to f19bbe1 Compare October 22, 2024 09:31
@mtardy mtardy merged commit 2017609 into main Oct 22, 2024
40 checks passed
@mtardy mtardy deleted the pr/mtardy/cmd-injection branch October 22, 2024 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevsecurity kevsecurity kevsecurity approved these changes

@ferozsalam ferozsalam ferozsalam approved these changes

@willfindlay willfindlay Awaiting requested review from willfindlay

Assignees
No one assigned
Labels
release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mtardy @ferozsalam @kevsecurity